Debian DSA-5106-1 : thunderbird - security update

critical Nessus Plugin ID 159205

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5106 advisory.

- If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. (CVE-2022-26384)

- An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. (CVE-2022-26381)

- When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
(CVE-2022-26383)

- Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in <code>/tmp</code>, but this behavior was changed to download them to <code>/tmp</code> where they could be affected by other local users. This behavior was reverted to the original, user-specific directory.
<br>*This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7. (CVE-2022-26386)

- When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
(CVE-2022-26387)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the thunderbird packages.

For the stable distribution (bullseye), these problems have been fixed in version 1

See Also

https://security-tracker.debian.org/tracker/source-package/thunderbird

https://www.debian.org/security/2022/dsa-5106

https://security-tracker.debian.org/tracker/CVE-2022-26381

https://security-tracker.debian.org/tracker/CVE-2022-26383

https://security-tracker.debian.org/tracker/CVE-2022-26384

https://security-tracker.debian.org/tracker/CVE-2022-26386

https://security-tracker.debian.org/tracker/CVE-2022-26387

https://packages.debian.org/source/buster/thunderbird

https://packages.debian.org/source/bullseye/thunderbird

Plugin Details

Severity: Critical

ID: 159205

File Name: debian_DSA-5106.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/24/2022

Updated: 3/21/2023

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-26384

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:calendar-google-provider, p-cpe:/a:debian:debian_linux:lightning, p-cpe:/a:debian:debian_linux:thunderbird, p-cpe:/a:debian:debian_linux:thunderbird-l10n-af, p-cpe:/a:debian:debian_linux:thunderbird-l10n-all, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ar, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ast, p-cpe:/a:debian:debian_linux:thunderbird-l10n-be, p-cpe:/a:debian:debian_linux:thunderbird-l10n-bg, p-cpe:/a:debian:debian_linux:thunderbird-l10n-br, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ca, p-cpe:/a:debian:debian_linux:thunderbird-l10n-gl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-cak, p-cpe:/a:debian:debian_linux:thunderbird-l10n-cs, p-cpe:/a:debian:debian_linux:thunderbird-l10n-cy, p-cpe:/a:debian:debian_linux:thunderbird-l10n-da, p-cpe:/a:debian:debian_linux:thunderbird-l10n-de, p-cpe:/a:debian:debian_linux:thunderbird-l10n-he, p-cpe:/a:debian:debian_linux:thunderbird-l10n-dsb, p-cpe:/a:debian:debian_linux:thunderbird-l10n-el, p-cpe:/a:debian:debian_linux:thunderbird-l10n-hr, p-cpe:/a:debian:debian_linux:thunderbird-l10n-en-ca, p-cpe:/a:debian:debian_linux:thunderbird-l10n-en-gb, p-cpe:/a:debian:debian_linux:thunderbird-l10n-hsb, p-cpe:/a:debian:debian_linux:thunderbird-l10n-es-ar, p-cpe:/a:debian:debian_linux:thunderbird-l10n-hu, p-cpe:/a:debian:debian_linux:thunderbird-l10n-es-es, p-cpe:/a:debian:debian_linux:thunderbird-l10n-et, p-cpe:/a:debian:debian_linux:thunderbird-l10n-eu, p-cpe:/a:debian:debian_linux:thunderbird-l10n-hy-am, p-cpe:/a:debian:debian_linux:thunderbird-l10n-fi, p-cpe:/a:debian:debian_linux:thunderbird-l10n-fr, p-cpe:/a:debian:debian_linux:thunderbird-l10n-id, p-cpe:/a:debian:debian_linux:thunderbird-l10n-fy-nl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-is, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ga-ie, p-cpe:/a:debian:debian_linux:thunderbird-l10n-gd, p-cpe:/a:debian:debian_linux:thunderbird-l10n-it, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ja, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ka, p-cpe:/a:debian:debian_linux:thunderbird-l10n-kab, p-cpe:/a:debian:debian_linux:thunderbird-l10n-kk, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ko, p-cpe:/a:debian:debian_linux:thunderbird-l10n-lt, p-cpe:/a:debian:debian_linux:thunderbird-l10n-lv, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ms, p-cpe:/a:debian:debian_linux:thunderbird-l10n-nb-no, p-cpe:/a:debian:debian_linux:thunderbird-l10n-nl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-nn-no, p-cpe:/a:debian:debian_linux:thunderbird-l10n-pa-in, p-cpe:/a:debian:debian_linux:thunderbird-l10n-pl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-pt-br, p-cpe:/a:debian:debian_linux:thunderbird-l10n-pt-pt, p-cpe:/a:debian:debian_linux:thunderbird-l10n-rm, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ro, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ru, p-cpe:/a:debian:debian_linux:thunderbird-l10n-si, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sk, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sq, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sr, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sv-se, p-cpe:/a:debian:debian_linux:thunderbird-l10n-th, p-cpe:/a:debian:debian_linux:thunderbird-l10n-tr, p-cpe:/a:debian:debian_linux:thunderbird-l10n-uk, p-cpe:/a:debian:debian_linux:thunderbird-l10n-uz, p-cpe:/a:debian:debian_linux:thunderbird-l10n-vi, p-cpe:/a:debian:debian_linux:thunderbird-l10n-zh-cn, p-cpe:/a:debian:debian_linux:thunderbird-l10n-zh-tw, cpe:/o:debian:debian_linux:10.0, cpe:/o:debian:debian_linux:11.0

Required KB Items: Host/local_checks_enabled, Host/Debian/dpkg-l, Host/Debian/release

Exploit Ease: No known exploits are available

Patch Publication Date: 3/21/2022

Vulnerability Publication Date: 3/8/2022

Reference Information

CVE: CVE-2022-26381, CVE-2022-26383, CVE-2022-26384, CVE-2022-26386, CVE-2022-26387

IAVA: 2022-A-0103-S